Emerging Risk Management Frameworks for Success 175
We will end our GRC conversation with some comments from a senior risk manager at McKesson, the nation's oldest and largest health care services company. The senior manager of IT governance, risk, and compliance at McKesson provides his view about the GRC framework when he says that GRC is about organizational collaboration including internal audit, technology risk management, compliance groups, legal, and more. He further argues that most companies are faced with organizational and functional silos, poor integration, lack of visibility, wasted resources, unnecessary complexity, and wasted information.
Over the past few years, McKesson has acquired a number of companies. Each acquisition has required McKesson to take on a new set of challenges in terms of developing an integrated platform. McKesson's risk manager maintains it is difficult to reduce cost if you don't have an integrated view of the activities within your organization, something the GRC framework demands. This means sometimes you have to step away from the tactical tools and process controls. If your leaders are not visionary and don't understand what they don't know, this risk manager argues you have serious challenges ahead. The visionary leadership at McKesson has enabled the risk management team to make great strides toward an integrated GRC platform. This senior risk manager argues a company must have visionary leadership, communications, an enterprise-wide perspective, fact-driven analytics, and stakeholder engagement to be successful. If a company maintains these basic GRC elements, the end result will be unprecedented transparency and visibility, the ability to make risk-based decisions, accountability, and alignment across the business.[10]
RISK TAXONOMIES—AN OPERATIONAL FRAMEWORK FOR SCRM
176 • Supply Chain Risk Management: An Emerging Discipline
We've mentioned several strategic frameworks that are critical success factors to an effective supply chain risk management discipline. To make managing an enterprise-wide risk management process simple and practical, we need to take complex material, break it down, and make it accessible to everyone in an organization. What is needed is the ability to build a more operationally oriented methodology, something we will refer to as a risk taxonomy. Taxonomy is the practice and science of naming, classifying, and defining relationships between resources, risks, goals, and business processes across an enterprise. Without risk taxonomies or a way to structure and classify risk events, it is difficult to understand different types of risks across the enterprise. And without taxonomies there is no common set of standards or way to manage relationships between different data types. If each area of the business uses its own terms to classify risk, then the aggregated information will be subjective, incomplete, redundant, or at best, flawed. Each silo in an organization and level within each silo will speak a different dialect.
The basic approach when creating a risk taxonomy is to develop a common framework for all risks, their readiness standards, and a balanced scorecard of objectives. To handle the complexity of a large-scale supply chain, this approach obviously requires a tool to effectively manage built-in libraries for use across the enterprise and highlight how a risk event in one functional area affects other functions. These tools enable the organization to create structured, centralized repositories of all risk elements within the organization. Some of these elements are risks, goals, requirements, relationships (vendors, customers, third parties), software applications, physical assets (buildings, servers, data centers, plants, equipment, and tools), data repositories, people, policies, and user-defined applications (models and spreadsheets). For each of these elements, taxonomy tools and techniques allow for flexibility and customization to manage cross-functional cause-and-effect relationships. Some basic capabilities of these taxonomy tools include the following:
Creating and Maintaining a Central Repository of Information—This could include the use of predefined fields or completely customized data elements needed by the organization.
Full Document Management—This should provide the ability to upload documents and link them to shared applications, with version control and permission rights, so that all information related to these areas can be centrally stored.
Enterprise-wide Task Management—From a more tactical perspective, this could provide for creating automatic reminder e-mail triggers for due dates, contract renewal dates, monitoring dates, approvals, and change notifications.
Risk Assessment Scoring—In this area, tools can provide best-practice assessment factors or allow organizations to develop their own risk factors. With this capability, organizations can rate these elements to determine priorities and criticality. They normally also allow the company to enter explanations for each of the assessments, thereby codifying the point-in-time assessment for future analysis and trends.
A risk taxonomy manages all the risk elements and links them to other elements within the organization to create a network of terms, definitions, and resource relationships. It codifies all the things that an organization should worry about before surprises occur, and manages those things in one place, with connections that provide assurance that these elements are actually being handled effectively to mitigate risk. In some cases, taxonomy tools also provide content that alerts the organization to important changes within an industry and puts it in a position to identify who and what resources are connected to or impacted by an industry or compliance issue.
LEVERAGING ERM, GRC, AND RISK TAXONOMIES
The importance of SCRM can't be stressed enough, as Ericsson found out in March of 2000. During this period, Ericsson, a leading mobile phone manufacturer, experienced a disruption in supply from Philips Electronics. A lightning strike caused a fire at a Philips facility in Arizona, resulting in the loss of millions of microchips and rendering this supplier dormant. Ericsson's production was totally disrupted because Philips was the buyer's sole supplier of microchips. This disruption resulted in $400 million of lost sales and eventually caused Ericsson to exit the phone business. Conversely, Nokia, Ericsson's main competitor, had a multisource supplier strategy and quickly ramped up the production of microchips from another supplier. Nokia managed the supply chain risk and actually turned this risk event into an opportunity. After this risk event Ericsson implemented a risk management process that includes the identification, assessment, treatment, and monitoring of risks across its supply chain. The company created a corporate function called corporate risk management that consists of a council of members in supply and sourcing as well as members from each business area. Ericsson also created a risk management evaluation tool, which appears in Figure 9.3. This process looks at all areas of the supply chain, both internally and externally, along with contingency planning to analyze risk exposure. Ericsson and Nokia are now two of the most ardent advocates of SCRM and actually don't talk much about their integrated SCRM approaches because they both consider these tools, techniques, and methodologies a strategic advantage.[11]
FIGURE 9.3
Ericsson risk management and evaluation tool (ERMET). The figure's boxes, recovered as text:
Business Control
– Management systems
– Environment, quality, information security
– Risk Management policies
– RM organization
– Audits & Inspections
Hazards at the Site
– Secure sourcing: Material; Risk management
– Property protection: Buildings; Site protection; Fire Prevention
– Resource shortages
– Chemical products
Environment
Distribution
Production
– Critical equipment and tools
– Service and maintenance
– Spare parts
– Bottlenecks
Employees
– Staff training
– Key persons
Flexibility and capacity
Information
– Information Security
– IT-platforms
– Computer rooms
Hazards in the Surroundings (Natural)
– Avalanche
– Blizzards, ice and winter storms
– Drought or extreme heat
– Earthquake or tsunami
– Floods or flash floods
– Fires (forest/brush)
– High winds, hurricanes or tornadoes
– Landslides or mud flows
– Lightning or thunderstorms
– Volcanoes
Hazards in the Surroundings (Man-made)
– Dams or locks
– Domestic disturbances
– Risky production units or warehouses
– Severe environmental pollution
– Resource shortages in the area
– Severe building collapses, fires or explosions
– Transportation incidents
– Other hazards
Business Interruption Handling
– Interruption handling: Business interruption analysis
– Business continuity plans: Mitigation measures; Contingency plan; Crisis organization
– Incident handling
Financial
– Investments
– Cash flow
– Solidity
– Cash position
– Liability
– Capital turnover
– Owner structure
Leggett & Platt, Inc., a 125-year-old manufacturer of sleep technology that introduced the first bedspring and now designs and produces a diverse array of products for homes, offices, and vehicles, took a risk more than 10 years ago and introduced an ERM project across its entire organization.[12] In the mid-1990s, a company vice-president attended several ERM classes facilitated by the RIMS organization and felt the ERM process would benefit Leggett & Platt. However, the concept languished until the CFO raised the topic of implementing an ERM program. The company quickly formed a committee to launch the program.
The ERM committee consists of the functional heads at the corporate level, including the CFO, treasurer, and vice-presidents of IT, tax, legal, audit, and accounting. Each functional head identified internal and external risks in their own disciplines. They then assessed those risks in terms of severity and frequency. The committee continuously categorizes these risks, tracks them, plots them, and reports on them at every committee meeting. The committee now rates all risks and correlates them against other risks and operational key performance indicators (KPIs). Some lessons learned include (1) risk is a big part of business and if you don't take risks, you limit your potential for success; (2) taking on too much risk threatens a company's survival; (3) categorize risks in terms of severity, develop treatments for those different risk issues, and overtly manage those risks; and (4) without an ERM framework, a company does not have a process that is predictable and sustainable to identify, assess, mitigate, and manage risk.
From a GRC perspective, one company that stands out is Bayer Crop Science. Led by the director of forecasting and Sales and Operations Planning (S&OP), the company has developed a comprehensive approach for managing risk throughout its global supply chain. The forum used by Bayer Crop Science is its S&OP process. The framework they use is the classic GRC framework supported by the SCOR model.[13] According to the director of forecasting, risk management plays an integral part in the execution of Bayer's S&OP process. This approach allows the business to get a better feel for potential dangers and the impact they may have on the business. Bayer Crop Science is also an advocate of the GRC framework presented earlier in the chapter.
Another company focusing on SCRM and exercising diligence in terms of developing and maintaining a risk taxonomy is Coca-Cola. The formal SCRM group at Coca-Cola is driven by three directors of supply chain risk. Having an actual corporate group structured to drive supply chain risk and led by SCRM directors is still novel. The SCRM group utilizes many of the SCOR model elements, which include many of the Supply Chain Council's risk protocols, process maps, and metrics. The key aspect of Coca-Cola's approach to SCRM is its dedication to classifying and categorizing all risks within the company's global supply chain. Coca-Cola classifies and categorizes risks based on severity, treats risks differently according to that classification, and maintains a strict methodology for classifying its risks. How do they do this? The company has built what it calls "risk registers." Every business unit maintains its own risk register, every region maintains a rolled-up or aggregated risk register, and every risk register is rated and compared with a corporate risk tolerance table before action is taken. The risk registers are updated and reviewed quarterly by the SCRM group. From a 50,000-foot level, Coca-Cola classifies risks primarily into strategic and operational risks, which Figure 9.4 illustrates.
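As an added illustration, not from the book and not any named company's own tooling, the following Python sketch shows the mechanics that the risk taxonomy section and the risk register description above share: a single vocabulary every business unit must classify against (so registers can be compared rather than "speaking different dialects"), severity-by-frequency scoring with a recorded rationale for the point-in-time rating, a roll-up of business-unit registers into a regional one, comparison against a corporate tolerance table before action is taken, and a lookup of which risks are linked to a given asset, supplier or system. Every category name, score, tolerance threshold and register entry below is constructed for the example.

```python
"""Toy risk register on a shared taxonomy.

Added example; all taxonomy terms, scales, tolerance thresholds and
register entries are constructed and do not describe any real company.
"""
from dataclasses import dataclass
from typing import Iterable

# Shared taxonomy: the one vocabulary every business unit classifies against,
# so registers from different silos can be compared and rolled up.
TAXONOMY = {
    "strategic": {"supplier concentration", "regulatory change", "market shift"},
    "operational": {"site hazard", "IT platform", "key person", "transport"},
}

# Ordinal scales; a risk's score is severity x frequency (constructed scales).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FREQUENCY = {"rare": 1, "unlikely": 2, "likely": 3, "frequent": 4}

# Corporate tolerance table: a score above the threshold requires treatment.
TOLERANCE = {"strategic": 6, "operational": 8}


@dataclass(frozen=True)
class Risk:
    rid: str
    category: str          # top-level taxonomy term
    subtype: str           # second-level taxonomy term
    severity: str
    frequency: str
    linked: tuple = ()     # assets, suppliers or systems this risk is connected to
    rationale: str = ""    # explanation recorded with the point-in-time rating

    def __post_init__(self) -> None:
        # Reject anything outside the shared vocabulary; this is what keeps an
        # aggregated register from becoming subjective, redundant or flawed.
        if self.category not in TAXONOMY:
            raise ValueError(f"unknown category {self.category!r}")
        if self.subtype not in TAXONOMY[self.category]:
            raise ValueError(f"unknown subtype {self.subtype!r} for {self.category}")
        if self.severity not in SEVERITY or self.frequency not in FREQUENCY:
            raise ValueError("severity/frequency must use the shared scales")

    def score(self) -> int:
        return SEVERITY[self.severity] * FREQUENCY[self.frequency]


@dataclass
class RiskRegister:
    name: str
    risks: list

    def exceeding_tolerance(self) -> list:
        """Risks scored above the corporate tolerance for their category, worst first."""
        return sorted(
            (r for r in self.risks if r.score() > TOLERANCE[r.category]),
            key=lambda r: r.score(), reverse=True,
        )

    def impacted_by(self, element: str) -> list:
        """Which risks are connected to a given asset, supplier or system."""
        return [r for r in self.risks if element in r.linked]


def roll_up(name: str, registers: Iterable[RiskRegister]) -> RiskRegister:
    """Aggregate business-unit registers into one regional register.

    Entries sharing a risk id are kept once at their highest score, so the
    regional view reflects the worst rating any unit assigned.
    """
    best = {}
    for reg in registers:
        for r in reg.risks:
            if r.rid not in best or r.score() > best[r.rid].score():
                best[r.rid] = r
    return RiskRegister(name, sorted(best.values(), key=lambda r: r.rid))


# Constructed sample registers for two business units of one region.
WEST = RiskRegister("bottling-west", [
    Risk("R1", "operational", "site hazard", "high", "likely",
         ("plant:west-1",), "single plant; fire suppression upgrade pending"),
    Risk("R2", "operational", "IT platform", "medium", "unlikely",
         ("system:erp",), "vendor patched; residual risk accepted"),
    Risk("R3", "strategic", "supplier concentration", "high", "unlikely",
         ("supplier:chip-vendor-a",), "second source qualified, not yet contracted"),
])
EAST = RiskRegister("bottling-east", [
    Risk("R3", "strategic", "supplier concentration", "critical", "unlikely",
         ("supplier:chip-vendor-a",), "sole source for this region"),
    Risk("R4", "operational", "key person", "medium", "likely",
         ("role:plant-manager",), "no deputy trained"),
])

if __name__ == "__main__":
    region = roll_up("americas", [WEST, EAST])
    for r in region.exceeding_tolerance():
        print(f"{r.rid} {r.category}/{r.subtype} score={r.score()}: {r.rationale}")
    print("linked to chip-vendor-a:",
          [r.rid for r in region.impacted_by("supplier:chip-vendor-a")])
```

Run stand-alone, the regional roll-up flags R1 (operational, score 9 against a tolerance of 8) and R3 (strategic, score 8 against 6, taken at the eastern unit's critical rating); the western unit's own rating of R3 scores exactly 6 and so would not have triggered action on its own, which is the point of rolling registers up before comparing them with the corporate table.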
The actual risk register identification and assessment process operates as follows. When a risk event occurs, employees access the online, worldwide